Description
The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.
Published: 2026-05-21
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ConnectWise Automate Agent does not fully verify the authenticity of components that are loaded as plugins or obtained during self‑update operations. If an attacker supplies a malicious component or corrupts the update stream, the agent could execute arbitrary code with the privileges of the agent process. The impact is a full compromise of any machine running the affected Agent, allowing an attacker to gain confidentiality, integrity, or availability control.

Affected Systems

The vulnerability affects ConnectWise Automate, both Cloud and on‑premises deployments. On‑prem users must apply the 2026.5 release to remediate; Cloud instances have already been updated to the latest version according to the vendor advisory. No specific sub‑versions beyond 2026.5 are listed.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity. The EPSS score is not available, so the current probability of exploitation cannot be quantified from the data. The vulnerability is not listed in CISA KEV. Based on the components involved, the likely attack vector is during the plugin loading or automatic update process, which may be triggered by a remote update server. An attacker would need the ability to influence the update stream or supply a malicious plugin, which could be achieved through compromised update endpoints or social engineering of authenticated users.

Generated by OpenCVE AI on May 21, 2026 at 17:20 UTC.

Remediation

Vendor Solution

Cloud: Cloud instances have already been updated to the latest Automate release.    On-prem: Apply the 2026.5 release. For instruction on updating to the newest release, please reference this doc: ConnectWise Automate Release Notes 2026.5

OpenCVE Recommended Actions

  • Apply the Automate 2026.5 release for on‑prem installations using the vendor provided update guide.
  • Ensure that all plugin components are signed and validated; do not allow unsigned or external plugins to be installed by the agent.
  • Configure the agent to reject any component that fails authenticity verification and monitor logs for failed verification attempts.

Generated by OpenCVE AI on May 21, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Agent Fails to Verify Authenticity of Plugin Components During Update
First Time appeared Connectwise
Connectwise automate
Vendors & Products Connectwise
Connectwise automate

Thu, 21 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.
Weaknesses CWE-494
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Connectwise Automate
cve-icon MITRE

Status: PUBLISHED

Assigner: ConnectWise

Published:

Updated: 2026-05-21T15:55:31.691Z

Reserved: 2026-05-20T15:02:32.409Z

Link: CVE-2026-9089

cve-icon Vulnrichment

Updated: 2026-05-21T15:55:28.169Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-21T16:16:23.570

Modified: 2026-05-21T19:10:21.527

Link: CVE-2026-9089

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T17:30:15Z

Weaknesses